colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14b3ea2789
nixpkgs/nixos/modules/services/networking/strongswan.nix
Jade Lovelace 6c5ab28fce nixos: fix a bunch of services missing dep on network-online.target 
This was done by generating a truly hilarious configuration:

rg 'services\.[^.]+\.enable\t' opts-tags | cut -f1 > allonconfig.nix

The following were not tested due to other evaluation errors. They
should probably be manually audited.
services.amule
services.castopod
services.ceph
services.chatgpt-retrieval-plugin
services.clamsmtp
services.clight
services.dante
services.dex
services.discourse
services.dwm-status
services.engelsystem
services.foundationdb
services.frigate
services.frp
services.grocy
services.guacamole-client
services.hedgedoc
services.home-assistant
services.honk
services.imaginary
services.jitsi-meet
services.kerberos_server
services.limesurvey
services.mastodon
services.mediawiki
services.mobilizon
services.moodle
services.mosquitto
services.nextcloud
services.nullmailer
services.patroni
services.pfix-srsd
services.pgpkeyserver-lite
services.postfixadmin
services.roundcube
services.schleuder
services.self-deploy
services.slskd
services.spacecookie
services.statsd
services.step-ca
services.sympa
services.tsmBackup
services.vdirsyncer
services.vikunja
services.yandex-disk
services.zabbixWeb
2024-01-19 00:11:34 -08:00

172 lines
4.9 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, pkgs, ... }:
let
inherit (builtins) toFile;
inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
mkIf mkEnableOption mkOption types literalExpression optionalString;
cfg = config.services.strongswan;
ipsecSecrets = secrets: toFile "ipsec.secrets" (
concatMapStringsSep "\n" (f: "include ${f}") secrets
);
ipsecConf = {setup, connections, ca}:
let
# https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
makeSections = type: sections: concatStringsSep "\n\n" (
mapAttrsToList (sec: attrs:
"${type} ${sec}\n" +
(concatStringsSep "\n" ( mapAttrsToList (k: v: " ${k}=${v}") attrs ))
) sections
);
setupConf = makeSections "config" { inherit setup; };
connectionsConf = makeSections "conn" connections;
caConf = makeSections "ca" ca;
in
builtins.toFile "ipsec.conf" ''
${setupConf}
${connectionsConf}
${caConf}
'';
strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
charon {
${optionalString managePlugins "load_modular = no"}
${optionalString managePlugins ("load = " + (concatStringsSep " " enabledPlugins))}
plugins {
stroke {
secrets_file = ${secretsFile}
}
}
}
starter {
config_file = ${ipsecConf { inherit setup connections ca; }}
}
'';
in
{
options.services.strongswan = {
enable = mkEnableOption (lib.mdDoc "strongSwan");
secrets = mkOption {
type = types.listOf types.str;
default = [];
example = [ "/run/keys/ipsec-foo.secret" ];
description = lib.mdDoc ''
A list of paths to IPSec secret files. These
files will be included into the main ipsec.secrets file with
the `include` directive. It is safer if these
paths are absolute.
'';
};
setup = mkOption {
type = types.attrsOf types.str;
default = {};
example = { cachecrls = "yes"; strictcrlpolicy = "yes"; };
description = lib.mdDoc ''
A set of options for the config setup section of the
{file}`ipsec.conf` file. Defines general
configuration parameters.
'';
};
connections = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {};
example = literalExpression ''
{
"%default" = {
keyexchange = "ikev2";
keyingtries = "1";
};
roadwarrior = {
auto = "add";
leftcert = "/run/keys/moonCert.pem";
leftid = "@moon.strongswan.org";
leftsubnet = "10.1.0.0/16";
right = "%any";
};
}
'';
description = lib.mdDoc ''
A set of connections and their options for the conn xxx
sections of the {file}`ipsec.conf` file.
'';
};
ca = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {};
example = {
strongswan = {
auto = "add";
cacert = "/run/keys/strongswanCert.pem";
crluri = "http://crl2.strongswan.org/strongswan.crl";
};
};
description = lib.mdDoc ''
A set of CAs (certification authorities) and their options for
the ca xxx sections of the {file}`ipsec.conf`
file.
'';
};
managePlugins = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set to true, this option will disable automatic plugin loading and
then tell strongSwan to enable the plugins specified in the
{option}`enabledPlugins` option.
'';
};
enabledPlugins = mkOption {
type = types.listOf types.str;
default = [];
description = lib.mdDoc ''
A list of additional plugins to enable if
{option}`managePlugins` is true.
'';
};
};
config = with cfg;
let
secretsFile = ipsecSecrets cfg.secrets;
in
mkIf enable
{
# here we should use the default strongswan ipsec.secrets and
# append to it (default one is empty so not a pb for now)
environment.etc."ipsec.secrets".source = secretsFile;
systemd.services.strongswan = {
description = "strongSwan IPSec Service";
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ kmod iproute2 iptables util-linux ]; # XXX Linux
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = {
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
};
serviceConfig = {
ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
};
preStart = ''
# with 'nopeerdns' setting, ppp writes into this folder
mkdir -m 700 -p /etc/ppp
'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink